OMB Memorandum 17-12 and Privacy

Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
Hello everyone.
00:02
It's Chris again and I'm
00:04
Cybrary's instructor for its US Information Privacy course.
00:09
I hope that you're having a great day wherever you are
00:12
Looks like the weather has broken here for us in Maryland,
00:15
so we should have a good stretch of good weather
00:19
and I'm thankful for that.
00:21
In Lesson 3.4,
00:23
we're going to continue our discussion of the Office of Management and Budget's guidance that it provides to
00:30
executive branch agencies and the federal government as it applies to privacy.
00:36
You know, OMB Memorandum 17-12
00:39
is of use not only to those agencies in the executive branch that must comply with it,
00:44
but to those of you that are privacy
00:48
professionals in the private sector. You may find that OMB Memorandum 17-12 is a useful tool
00:55
because it helps organizations
00:58
in preparing for and responding to breaches of personally identifiable information.
01:06
We have two learning objectives.
01:07
We're going to talk about the guidance that this
01:11
memorandum gives executive branch agencies on how to prepare for a breach of PII. And we're also going to talk about the response requirements stated in Memorandum 17-12, so these agencies
01:25
can respond to a breach of PII.
01:29
Now it's extremely important for you in the private sector to continue to look
01:33
beyond your own policies, procedures, guidelines and standards
01:37
to look externally for
01:38
best practices on how you can improve your organization's, institution's or company's
01:46
incident response procedures
01:49
and other procedures that pertain to privacy.
01:55
So let's talk about OMB Memorandum 17-12.
01:59
It is
02:00
a really wonderful tool
02:02
It provides you with great insights, templates and guidance on how to prepare for and respond to a breach of PII.
02:12
It
02:13
replaces several
02:15
previous
02:15
OMB Memoranda that dealt with incident response
02:21
as it applied to a breach of PII:
02:23
OMB Memorandum 07-16,
02:28
OMB Memorandum 06-19 and OMB Memorandum 16, or 06-15, my apologies.
02:38
You know, OMB, when it provided this guidance, understood that
02:43
not only private sector organizations but public sector organizations also processed
02:49
PII,
02:50
that had engaged in
02:53
information
02:54
lifecycle management, the collection, use,
02:58
processing, storage, maintenance, dissemination, disclosure and disposal of PII.
03:04
And it wanted to make sure that on that fateful day, should an organization experience a breach of PII, it was prepared to do so.
03:13
You know, we talked about PII. We've talked about and defined it in previous modules. We talked about names, addresses, dates of birth,
03:21
your places of employment.
03:23
We talked about Social Security numbers, other government identifiers. Now we're talking about precise locational data, medical history, biometrics and others.
03:35
And we have a responsibility as organizations to ensure that we're protecting that information from the time it is collected until the time we dispose of it.
03:45
You know, on that fateful day you can't just wake up and address a privacy breach;
03:52
at that time it's too late. You have to be prepared for it, and this memorandum will assist you in doing so.
03:59
You know, we've defined PII. We've talked about any information that distinguishes or traces
04:06
an individual or can be linked
04:09
directly or indirectly to an individual, as defined in OMB Circular A-130,
04:15
as we talked about previously.
04:16
Now, one thing that Memorandum 17-12 does is make a distinction between what's an incident and what's a breach.
04:26
When we're talking about incidents, security incidents, it defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information or an information system, or (2) constitutes a violation
04:46
or imminent threat of violation of law, security policies, security procedures or acceptable use policies.
04:54
Now it defines a breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information, or (2)
05:14
an authorized user accesses or potentially accesses personally identifiable information for other than an authorized purpose.
05:23
So it seeks not only to prepare organizations for external threats but also internal threats.
05:32
You know,
05:33
it has
05:34
ways that you can prepare for it, and it talks about training and awareness campaigns, which are extremely important. You can't hold individuals accountable if you haven't trained them and then assessed the level of that training.
05:47
It also accounts for addressing disclosures of Privacy Act routine use information, like we talked about during our discussion on the Privacy Act of 1974,
06:00
so that when you have system of records notices, they have to address the routine uses of the disclosure, the potential disclosure of PII.
06:10
And in the case of breaches, which require some type of notification that we're going to talk about,
06:15
it talks about, you know, requirements for contractors, because you could have a breach that occurs at a contractor site, and so they need to be prepared to respond to those.
06:27
It also talks about the need to have and identify logistical and technical support that you might need that's not already on your staff. So you may have to budget for that as you're accounting for potential breaches in the future.
06:43
You know, this memorandum has requirements on reporting on suspected or confirmed breaches
06:49
and it says that,
06:50
you know, these agencies have to report these breaches even if they are only suspected, because any delay in the notification could expose the organization or individuals to greater harm.
07:02
It talks about the importance of establishing a breach response plan,
07:09
identifying a breach response team, making sure you have the applicable privacy compliance documentation on hand, ensuring that you have the information sharing procedures in place to assist you in responding to a breach, reporting requirements
07:26
to US-CERT within 24 hours of a breach and to Congress within seven days of the discovery of the breach, and then a follow-up within 30 days.
07:35
It talks about the importance of assessing the risk of harm to individuals, mitigating the risk of harm, then notifying individuals potentially harmed by the breach.
07:47
We've talked about the external reporting requirements again, to
07:53
US-CERT, the
07:55
Computer Emergency Response Team, within 24 hours
07:59
of realizing that the breach has occurred,
08:01
notifying Congress within seven days, with a follow-up within an additional 30 days.
08:13
You know, when we talk about assessing harm to individuals, it's extremely important.
08:20
And things that you should consider are
08:24
the nature and sensitivity of the
08:26
PII potentially compromised by the breach, the likelihood of access and use of that PII,
08:33
and the type of breach.
08:39
Question one asks the question:
08:41
OMB Memorandum 17-12 provides federal agencies in the executive branch with what?
08:48
The appropriate answers are B and D.
08:54
Question two asks, how does OMB Memorandum 17-12 define an incident?
09:01
The appropriate answers are A and D.
09:07
OMB Memorandum 17-12 defines a breach as what?
09:16
The appropriate answers are B and C.
09:22
Question four asks:
09:24
federal agencies must notify the appropriate congressional committees in compliance with which reporting requirements?
09:33
B and D.
09:37
Question five asks a question about the SAOP who manages this process.
09:43
The SAOP shall consider which of the following factors when assessing the risk of harm to individuals potentially affected by the breach?
09:52
The answers are A, C and D.
09:56
You know, having worked in the
09:58
private sector for some time,
10:01
you know, I have supported agencies that were funding for breaches, because it's not if, it's when it affects you, and breaches occur not only in the private sector but the public sector.
10:11
What's important is that we, as privacy professionals,
10:16
are prepared to respond to
10:18
and also are prepared for dealing with breaches, so that we protect our organizations from any potential risks or harms associated with the breach.
10:30
We talked about
10:31
how Memorandum 17-12 assists agencies in preparing for potential breaches and responding to those, its definition of incident and breach,
10:41
reporting requirements,
10:43
and assessing harm.